The best article on passphrase strength I have seen is Randall Williams' document, Choosing a strong passphrase.
This document contains a rough reckoner for calculating whether a passphrase is strong or weak. It makes the point that for a passphrase to be as strong as the encryption in PGP, it needs to be 30+ characters long! Remembering one or two paintings might not quite cut it.
For most systems, you can safely use shorter passphrases if you are only permitted a limited number of attempts or have no access to the machine (like at a bank) or the passphrase is changed frequently, or if the phrase is truly random.
Regardless, the strength of the passphrase is almost always the weakest link in any security system.
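As an added illustration, not from the thread or from Williams' document: a small reckoner in the spirit described above, which estimates a passphrase's entropy under a few models and works out how long a passphrase must be to match a symmetric key size. The bits-per-character rate for English, the 94-character keyboard alphabet and the word-list size are assumptions.

```python
"""Rough passphrase-strength reckoner (added example, not the original thread's code).

It estimates the entropy of a passphrase under three simple models and reports
how long a passphrase must be to match a symmetric key of a given size.
All per-character and per-word rates are assumptions, noted in the comments.
"""
import math
import string

# Assumption: Shannon-style estimates put English prose at roughly 1.0-1.5 bits
# per character; 1.3 is used here as a working figure.
ENGLISH_BITS_PER_CHAR = 1.3
# Assumption: characters typeable on a standard keyboard (94 symbols).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
# Assumption: size of a word list used for word-based passphrases.
WORDLIST_SIZE = 7776


def bits_uniform(passphrase: str, alphabet: str = PRINTABLE) -> float:
    """Entropy if every character was drawn uniformly from `alphabet`.

    This is an upper bound: it only holds if the passphrase is truly random.
    """
    return len(passphrase) * math.log2(len(alphabet))


def bits_english(passphrase: str) -> float:
    """Entropy if the passphrase is ordinary English prose (a sentence, a title)."""
    return len(passphrase) * ENGLISH_BITS_PER_CHAR


def bits_wordlist(passphrase: str, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy if each whitespace-separated word was picked at random from a list."""
    return len(passphrase.split()) * math.log2(wordlist_size)


def chars_needed(target_bits: float, bits_per_char: float) -> int:
    """Smallest length that reaches `target_bits` at `bits_per_char`."""
    return math.ceil(target_bits / bits_per_char)


def estimate(passphrase: str, key_bits: int = 128) -> dict:
    """Return all estimates plus a verdict under the weakest applicable model.

    A defender should assume the weakest model, because an attacker tries the
    cheapest search first (word list, then prose patterns, then brute force).
    """
    models = {
        "uniform_random": bits_uniform(passphrase),
        "english_prose": bits_english(passphrase),
        "wordlist": bits_wordlist(passphrase),
    }
    weakest = min(models, key=models.get)
    return {
        "length": len(passphrase),
        "estimates": models,
        "weakest_model": weakest,
        "bits_under_weakest": models[weakest],
        "matches_key": models[weakest] >= key_bits,
        # Length a prose passphrase needs to match the key, under the assumed rate.
        "prose_chars_for_key": chars_needed(key_bits, ENGLISH_BITS_PER_CHAR),
        # Length a truly random keyboard-character string needs to match the key.
        "random_chars_for_key": chars_needed(key_bits, math.log2(len(PRINTABLE))),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real passphrases.
    for sample in ("a thirty character passphrase!", "correct horse battery staple"):
        result = estimate(sample)
        print(f"{sample!r}: weakest model {result['weakest_model']}, "
              f"{result['bits_under_weakest']:.1f} bits, "
              f"matches 128-bit key: {result['matches_key']}")
    print("prose chars for 128 bits:", estimate("x")["prose_chars_for_key"])
```

The verdict is deliberately pessimistic: a 30-character English sentence is judged by the prose model, not by the much larger brute-force space.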
You know, the thing about all this is that in many cases, the victim actually isn't much to blame.
Consider a guy who wants to get on the net, let's call him Harry Homeowner (a la the Reg). He could be somebody's dad, their uncle. Harry goes out and gets himself a Windows PC, gets a broadband account, and hooks it up. He thinks it'd be kewl to put a few photos up on the Net, and so he does. Harry is proud of himself - he's king of the world! Check out Mr. & Mrs. Homeowners' family website!
Nobody tells him he's got to download patches (it doesn't say on the Windows box, "Caution: download 500Mb of files to patch this useless pile of..."). He's lived his whole life never hearing about Microsoft's security problems (big old marketing budget sorted that out). His broadband ISP never tell him about firewalls, or in some cases actively discourage them to reduce support calls. Either way, there's no filtering going on at their end. Regardless, Harry just thinks "hey, I'm too small to be a hacker's target" and "Microsoft probably know what they are doing".
How long is it before Harry Homeowner's machine is owned by a worm? Ten minutes? How long 'til some lee7 kiddie is using it for warez? A week?
He was feeling so cool, and you know what? He was cool. He was just doing what all of us were doing five or six years ago, only back then there were fewer low-lifes around. He made the assumption that the software he was using and his ISP were good enough for the job he wanted to do. He'd have got the hang of stuff soon enough...he just wasn't given the chance. He'll get the PC working again and get a clue, but it won't ever be as much fun for him.
That's why these worms and script kiddies and lame corporate excuses suck. You, me and the rest of the people reading this thread can look after ourselves, but the n00bs should at least get an even break.
Thanks for the good heads up on the PHP Unicode issue. Although there are people working hard on the problem (two unsung heroes), they look like they could definitely use a hand.
Eeek, I hate people who confuse the web with the Internet too. You are right to correct me, Locutis. You could telnet or ip proxy there too, or change a few routing tables if you've got the kit.
By trying to be brief, I almost became a purveyor of an evil heresy...I am so very sorry.
You can reach these "dark spaces" if you know what you are doing. The simplest way is to use an http proxy (or tracert host) in another part of the net, or just use another ISP. They are not unreachable in that sense, even though the default route from where you are may not work.
Spammers or system crackers often seem to do the trick of hacking into a set of home user broadband machines, I guess using a trojan or worm, turning them into a chain of proxies, then nailing the router between the last of the proxies and the rest of the net. In this way they make their own dark space.
People gravitate towards languages based on their ability to be proficient at it. No matter how good XML is, people will still use HTML because it suits them better, or PHP, or Perl, or C, or Assembly, or freakin Smalltalk if they want.
Totally right. For this reason, I reckon this coming year is going to be huge for Java, Python and PHP. They are so going to be the next big thing.
I appreciate they all suck in some way, Java because it belongs to M$-wannabe Sun, Python because it's hard to get fast code, PHP because er... um... (sheesh, it must suck somehow). And of course, they are not C/C++, Perl, and HTML which are the languages of the Gods.
Nevertheless, a lot of people find it easy to become proficient in this new wave of languages, and do some pretty cool stuff. They're designed from the ground up to be pervasive. The development environments are awesome and free to download. As the current Internet was built with C/C++, Perl and HTML, so the future one will be built with Java, Python and PHP.
2001 saw the coming of age of the full set of free-to-use security protocols for the Internet, including IPSec (network layer encryption), OpenSSL (transport layer encryption), OpenSSH (application-layer encryption) and OpenPGP (file encryption). Each one of these now has one or more solid open-source implementations. I'm hoping next year these protocols start to become built into mainstream apps.
If Microsoft can stop issuing apps which are holier than the pope, and build these protocols in without any of their usual embrace-and-extend nonsense, and if the Feds can keep their noses out, we might actually get somewhere with network security.
Yeah, I know, "keep dreaming". But I do, you know.
Indeed, as the vendors write the licensing terms, it is in their interests to make them as strict as possible. I love the idea of establishing a buying association around a common set of terms and conditions, which might be possible if the power of the vendors is eroded by free software.
Really, though, what is happening is that vendors are moving software from being sold under the laws of contract/copyright to being "intellectual property". The problem with this is that it is very oppressive - it destroys things like "fair use", for example - because IP laws were really framed to protect research material in labs, rather than material published and sold to the public.
So, the same law that would stop a researcher copying the source code of a product and sending it to the competition is now being used to stop a purchaser of software understanding how the software works or making fair use copies.
While breach of a software licence - really just another type of contract - should expose you to a civil liability, it should not leave you liable to a criminal prosecution.
In other words, if I form a contract with a software provider or film company when I license software or content, and I break that contract by making a copy and passing it to another person, they should have the right to be able to sue me for damages. If the contract wasn't fair, the court will throw it out. If it was, they can make me pay up.
What is unacceptable, and an erosion of liberty, is that an unrelated third party - the police - can take action against me, on behalf of the state on this issue. Unless I was using this commercial transaction to commit another crime - like fraud, or murder - it should be nothing to do with them.
We rightly give the police tremendous leeway to detain suspects, confiscate goods and enter property. When this power is used on behalf of one party of a contract, it's very unfair. It's a dangerous extension of state and corporate power vs. the rights of individuals.
Breaking the terms of a software licence is neither "theft" nor "piracy". It's simply breaking the terms of a software licence, a bit of paper that comes in the box, written by the software company.
I was an avid listener when I was 14 (back in 1981), and will be again. Great that it's now being streamed to the world - imagine that, audio being streamed to a global computer network with hundreds of millions of people connected to it. We live in miraculous times.
I think there is, or should be, a line between what is ethical and what is lawful. Breaching your employing company's security policies is certainly unethical: in the end, when you are part of an enterprise, you have a duty to live by its rules on the understanding that these rules are there to protect the organisation from harm. This duty is most relevant when you think these rules are stupid.
With regard to the criminal law, though, the law in Oregon appears flawed in the sense that there appears to be no suggestion that Mr. Schwartz cracked the password file for any other reason than to test the security of the system. There appears to be no motive to steal, or kill, or cover up evidence of a non-computer related crime.
You effectively have a law here which was framed with the external intruder in mind, which when applied to an internal user - one employed to work on the computers of the company - fails the test of reasonability.
Speaking personally, my experience with computer consultants is that playing around with technology and doing things with company systems that they are not supposed to is just what they do, at least the good ones. It is the nature of the beast.
Different countries strike different balances in how they manage the privacy issue. So, although in Britain, closed circuit television is indeed widely used, nobody minds much because car crime, civil disorder and terrorist attacks worry the people there. So, the measure matches the threat.
It's not clear to me what threats an identity chip would reduce. Conversely, its impact on liberty would be very great. The ability to go about your business unobserved and unmolested is not part of freedom - it is freedom.
The answer to "why don't you want this" is to say, it's precisely because I am not a terrorist, a pedophile or a criminal, that I have the right to freedom and the will and the means to fight for it.
They are, of course, amazed that the uptake of their services hasn't been all they hoped and that they are losing money. If it wasn't for AOL/TW keeping BT honest, things would be even worse...which gives an idea of just how bad it is here.
Actually, all we are seeing here is a return of the "Fair Use Policy". In the before-time, in the long-long-ago, this kind of approach was how things were regulated on the Internet. Any resource held in common will be overutilised, unless there are economic incentives or rules enforced to stop this happening. DSL connections, where multiple users share a pipe - albeit a thick one - are just such a situation. Great if everyone on the pipe uses it for bursty applications like surfing with a web-browser, lousy if one of your pipe-mates is streaming video to the world.
What sucks is that this is not how home-use broadband is sold. Unfulfilled expectations are a source of unhappiness. Still, my view is that if people want to do what they like with their connections, they should get a T3. If they only want to shell out 40 bucks a month, well, there are going to have to be some restrictions on their use.
The comments in the Mozilla document on templates probably do need updating, perhaps along the lines of limiting oneself to the STL. Assuming people have an ISO-compliant compiler probably isn't a bridge too far these days.
Still, it's a document I often look at - it's a good thing to know its "rules", before then proceeding to deliberately break them.
A firewall in front of a secured network with properly secured servers and databases is going to be much more effective. Ideally, you should be able to take the firewall away and still have no major vulnerabilities showing to the public internet.
The reason for this is that configuring a perfect firewall is near-impossible. Even if it were, it is easy to breach this security by opening the wrong port. If the rest of the infrastructure is secure, though, the firewall becomes a way of covering unanticipated (or as yet undiscovered) security holes. Security systems like firewalls only buy you time: if a new vulnerability appears they will keep you safe until a patch is available, but if you never apply the patch, the firewall will eventually be breached and your data exposed.
You can't rely on security systems to make safe systems which are intrinsically vulnerable. So, a secure database of the kind Oracle are trying to deliver makes a significant contribution to Internet security, even if such systems properly should be behind a firewall.
For C++, Stroustrup's home page offers a solid set of advice and links:
http://www.research.att.com/~bs/C++.html
Since he designed the language, I guess he is authoritative.
If portability is important or if you are likely to Open Source some of your code, Mozilla offers a great style guide for this:
http://www.mozilla.org/hacking/portable-cpp.html
C++ compilers are still contrary beasts, and it is worth being aware of the pitfalls.
A number of the tips, especially the "do's", come from Scott Meyers' "Effective C++" series, which has to be recommended for anyone looking to define a common company approach to C++ programming.
A language with even more class features, on Python 2.2 Released
I'm really pleased to see that they have expanded and tidied up Python's approach to classes and inheritance.
Although it's not C++ or Perl (or perhaps because it's not) Python has always struck me as a very wonderful language, being very compact syntax-wise yet having a core containing some of the most powerful features of other languages e.g. OO and lambda functions. It's also got a very solid set of standard modules.
The indenting stuff still throws me, sometimes, though ;)
Dynamic, complex systems like the human/computer world often demonstrate emergent properties. In other words, higher-order levels of organisation spontaneously appear in these systems over time.
For example, peer to peer computing has been known about forever, as has file compression, but who could have predicted the success of MP3 trading over Napster?
Who is to say that the dragons you fight in Everquest today might not take flight above the surface of the earth tomorrow? These are very exciting times.
For a major refit, re-design should be the bigger part of the effort. For one thing, eliminating features or modules that nobody really uses can cut a huge amount of effort. That's not to say code should be thrown out wholesale: quite often real gems that solve real problems are found buried amongst the junk.
They want to rearchitect not just the Internet, but every computer and digital tool on or off the Net that might be used to make unauthorized copies.
They would like that, no doubt. If you consider the article about the content providers vs. the machine makers, none of them give a thought to the end user, except as a patsy to be soaked for cash. The machine makers plainly have no moral objection to controlling users' rights, as long as it is their technology which is doing the controlling.
The media companies have the budget, the track record and the determination to push this to its bitter end: they should not be underestimated.
Although they'd like to re-architect it, happily the Internet does not belong to them: it belongs to the end users. At least for now.
Forbidding a general purpose machine because it can be used for an illegal purpose is like forbidding stoves because they can be used to cook hash cakes, or television because it can be used to watch pornography.
Unless a machine can only be used for lethal or illegal purposes, for example a jet fighter or lockpicks, we absolutely have the right to design, build and use that machine.
I don't think that a good measure of Internet participation is how much you spend buying stuff on it: it's really about the exchange of ideas.
The truth is that people in China cannot yet exchange ideas freely, both because of linguistic barriers and because of social and political controls. So, while they may be on the Internet, their impact on the thought of the wider world must necessarily be limited.
For all Howard's no-doubt genuine enthusiasm, the truth is that because of short-term commercial pressures, Microsoft's priorities have always been:
Number 1. Adding new product features
Number 2. Getting products on the shelves
Number 3. Security
The reason for this is that people can't tell whether a product is secure by looking at reviews or even trying it out (and they sure as hell can't tell by looking at a shrink wrapped box). So, there are very few dollars in it short-term.
Longer term, issues of reputation kick in - and Microsoft are finding that their poor reputation in this area is now biting them, especially as they move into net services.
Unfortunately, turning an entire corporate culture around on a dime is not possible. Even if it was, there's way too much legacy software around, requiring compatibility. It will therefore be some time before their product security is all it should be.
http://news.php.net/group.php?group=php.i18n&i=195
Interesting to note though that PHP is really big in Japan (albeit customised for the local character set).
We need the will to stop this right being eroded.
Or, "Dirty Media Corporations Again." Music just wants to be free, baby!